Scope… or, why can’t you just send me a form?

Scoping… the process of gathering data to put together a statement of work for a client.

To be 100% honest, I love scoping. And MSI doesn’t scope via form letter, although I’ve seen a variety of companies take this approach.

Is it because I want to talk to you? Well, partially – I do enjoy the vast majority of our clients. But here’s where I think the “fill in the form” plan fails.

First, when you’re not engaged in conversation, you’re viewing the client requirements with an eye towards putting a peg in the hole of one of your offerings. Even if that ends up being a square peg in a round hole.

Second, the conversation often takes many twists and turns. As we talk about MSI and our capabilities, it will happen that what a client asks for isn’t precisely what they need. We can offer a different service, and help them get to their end goal in a different way. And this isn’t always more services… it’s equally likely that it will be less, or a custom variation on a service we already have. The majority of clients don’t fall into “canned” services… and it’s refreshing to talk to them when they’re also engaging other vendors who are simply dropping them into a slot.

So the first question of any scoping conversation is – what is the purpose? What problem are you trying to solve? Is it regulatory – you have to have X assessment? Is something broken? Or are you trying to become aware of some security gaps – whatever they may be.

That’s the springboard of the conversation, helps us get to know you, and helps you to get the right mix of services. It’s personalized, customized, and based on individual attention from our sales and technical staff.

The next piece of serious hands-on attention comes when we’ve gathered the details for the engagement. Does the information provided make sense? If you’re a financial services firm, and you’ve chosen to be measured against HIPAA, is that really the right choice for you? The push-button approach may miss that.

Another item that’s fairly common is typos or inaccurate information in the network space provided. So we’ll do passive recon on the information provided. Does the IP space really belong to your company? Are you using hosting via AWS, which requires an additional penetration test form? Are you using a host like Rackspace that has additional contract stipulations on penetration testing?

Throughout the engagement, there are more personal touches. Via our project management portal, the engineers working on your engagement touch base every day or every other day as work progresses. If a highly critical issue is discovered, all work stops, and the engineers will get on the phone with you. We don’t believe in a situation where a critical vulnerability is only shared in a report, weeks after the discovery.

Now the reports are in your hands. We keep those reports for ~90 days – after that, all reports are purged from the system. During those 90 days, we can supply replacement copies – we can also supply the password used for encryption, if you’ve misplaced it. Sanitized copies of reports can be produced as well, for dissemination to vendors, clients, regulatory bodies, or any interested parties that you need to share this information with – a small fee may apply.

At the end of the day, the question is – who did you help today? It’s rare for MSI to end the day where we can’t answer that question in multiple avenues. It’s one of my favorite things, and we’d love to help you!

Yo, MSI Raps Podcast Episode 1

This is the latest version of Yo, MSI Raps. We have decided to finally make these episodes open to the public, so we will start with this one.

This is an open round table discussion between members of the MSI Technical Team. It is candid, friendly and, we hope, interesting. 🙂

This time around, the team talks about privacy, the news around the NSA collection of data and impacts of surveillance on liberty. 

You can check out the podcast here!

Look for these sessions to be released more frequently and on topics that are in the news. We hope you enjoy them, and feel free to give us feedback via Twitter (@lbhuston or @microsolved) and/or via the comments section.

Thanks for listening!

Audio Blog Post – IT History: An Interview with Brent’s Mom

Today, I got to do something pretty cool! I got to record a quick interview about the history of IT and what some of today’s technologies look like through the eyes of someone who has done IT for the last 40 years. Even cooler than that, I got to interview MY MOM! 

Check this out as she discusses mainframes, punch cards and tape vaults, and shares insights about mainframe authentication and even quality control in the mainframe environment. She even gives advice to IT folks approaching retirement age and her thoughts on the cloud.

She closes with a humorous insight into what she thinks of my career and when she knew I might be a hacker. 🙂

It’s good stuff, and you can download the audio file (m4a format) by clicking here. 

Thanks for listening, and let me know if you have other IT folks, past or present, you think we should be talking to. I’m on Twitter (@lbhuston), or you can respond in the comments.

Interview with Brent Huston: Meet “Paul,” An Attacker — Up Close and Personal

Many organizations we talk to still vastly underestimate the capability of the threat. They still think of the attackers and the hackers as folks who are trying to use canned exploits or use the latest version of Metasploit to pop a bunch of boxes — that’s just frankly not true. “Paul” is proficient in eight different coding languages. [He’s skilled and learning.] That needs to become the mindset of the defender. – Brent Huston, CEO and Security Evangelist, MicroSolved, Inc.

What would you do if you met an attacker online? Give him a piece of your mind? Or dig a little deeper to find out what motivates him and how he operates? In this special interview, Brent Huston discusses a recent incident where he had such an opportunity. In this fascinating conversation, Brent describes how he met Paul and his attitude toward meeting another “up and coming” hacker. Take a listen! Discussion questions include:

  • How Brent tracked Paul down
  • What was Paul’s attitude toward Brent and his questions
  • A little about Paul and his skills
  • What does Paul use his compromised systems for?
  • What lessons can organizations draw from this encounter?

Interview Participants:
Brent Huston, CEO, Founder, and Security Evangelist
Mary Rose Maguire, Marketing Communication Specialist and moderator

Click the embedded player to listen. Or click this link to access downloads. Stay safe!